Implement request message verification to ensure that Checkout and Submit Order requests to your fulfillment endpoint come from Google and prevent unauthorized third parties from calling your endpoint.
Message verification using JWT
Requests to your fulfillment endpoint that come from Ordering End-to-End servers contain a signed
JSON Web Token (JWT) in the Authorization
header for security. The token is generated
by a shared authorization service that can be called by both Google and your fulfillment endpoint
implementation.
- Google generates a signed JWT using the authorization service and the project ID of your Food Ordering project.
- Google sends the signed token in the
Authorization
header of every request to your fulfillment endpoint. - Your endpoint must decode the signed token using the Google Auth Library. The decoded token contains details such as the project ID, issuer, expiration time, and issued time. Use this data to determine the authenticity of the request.
To implement request verification for your project, follow these steps:
- Extract the JWT from the
Authorization
header of incoming requests. - Decode the token using the Google Auth Library.
- Set the
audience
of the token to your project ID. - Verify the issuer, project ID, and other information contained in the token payload for accuracy.
Google Authorization Library
To verify messages from Ordering End-to-End and to generate authorization codes for messages your web service sends to Google, use the Google Auth Library in the programming language of your choice:
Download and add one of these libraries to your web service implementation code.
Request verification examples
The following examples demonstrate how to implement request verification:
Node.js
const auth = require('google-auth-library') const authClient = new auth.OAuth2Client() /** * Verifies that an incoming request came from Google. * @param {String} idToken - The ID token used to verify the request * (i.e. The value found in the Authorization header of an incoming request). * @param {String} audience - The expected audience of the request * (i.e. The project ID for your project). * @return {boolean} True if request came from Google, false otherwise. */ function isRequestFromGoogle(idToken, audience) { authClient.verifyIdToken({idToken, audience}, (err, info) => { return !(err || info['iss'] !== 'https://accounts.google.com') }) }
Python
from google.oauth2 import id_token from google.auth.transport import requests def isRequestFromGoogle(audience, token): """ Verifies that an incoming request came from Google. Args: audience (str): The expected audience of the request (i.e. The project ID for your project) token (str): The ID token used to verify the request (i.e. The value found in the Authorization header of an incoming request) Returns: True if the request came from Google, False otherwise. """ id_info = id_token.verify_oauth2_token(token, requests.Request(), audience) return id_info['iss'] == 'https://accounts.google.com'
Java
/** * Verifies that an incoming request came from Google. * @param audience The expected audience of the request * (i.e. The project ID for your project) * @param token The ID token used to verify the request * (i.e. The value found in the Authorization * header of an incoming request) * @return {@code true} if request is from Google, else {@code false} */ public boolean isRequestFromGoogle(String audience, String token) { GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier .Builder(transport, jsonFactory) .setAudience(Collections.singletonList(audience)) .build(); GoogleIdToken idToken = verifier.verify(token); if (idToken == null) return false; Payload payload = idToken.getPayload(); String issuer = (String) payload.get("iss"); return issuer.equals("https://accounts.google.com"); }